Security
Headlines
HeadlinesLatestCVEs

Tag

#ruby

GHSA-qcj6-vxwx-4rqv: Decidim vulnerable to data disclosure through the embed feature

### Impact If an attacker can infer the slug or URL of an unpublished or private resource, and this resource can be embedded (such as a Participatory Process, an Assembly, a Proposal, a Result, etc), then some data of this resource could be accessed. ### Patches version 0.27.6 https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705 ### Workarounds Disallow access through your web server to the URLs finished with `/embed.html`

ghsa
#vulnerability#web#git#ruby
GHSA-8qgm-g2vv-vwvc: RailsAdmin Cross-site Scripting vulnerability in the list view

### Impact RailsAdmin list view has the XSS vulnerability, caused by improperly-escaped HTML title attribute. The issue was originally reported in https://github.com/railsadminteam/rails_admin/issues/3686. ### Patches Upgrade to [3.1.3](https://rubygems.org/gems/rails_admin/versions/3.1.3) or [2.3.0](https://rubygems.org/gems/rails_admin/versions/2.3.0). ### Workarounds 1. Copy the index view (located under the path `app/views/rails_admin/main/index.html.erb`) from the RailsAdmin version you use, and place it into your application by using the same path. 2. Open the view file by an editor, and remove `strip_tags` from the title attribute: ```diff <% properties.map{ |property| property.bind(:object, object) }.each do |property| %> <% value = property.pretty_value %> - <td class="<%= [property.sticky? && 'sticky', property.css_class, property.type_css_class].select(&:present?).join(' ') %>" title="<%= strip_tags(value.to_s) %>"> + ...

Gentoo Linux Security Advisory 202406-03

Gentoo Linux Security Advisory 202406-3 - A vulnerability has been discovered in RDoc, which can lead to execution of arbitrary code. Versions greater than or equal to 6.6.3.1 are affected.

The Marvin Attack

The Marvin Attack is a new side-channel attack on cryptographic implementations of RSA in which the attacker decrypts previously captured ciphertext by measuring, over a network, server response times to specially crafted messages. The attacker also may forge signatures with the same key as the one used for decryption. Red Hat published the principles and technical background of the Marvin Attack in September of 2023.Since that time, we have identified lots of other vulnerable implementations and have shipped fixes. Note that most of the CVEs in applications that use OpenSSL have only received

Ubuntu Security Notice USN-6838-1

Ubuntu Security Notice 6838-1 - It was discovered that Ruby RDoc incorrectly parsed certain YAML files. If a user or automated system were tricked into parsing a specially crafted .rdoc_options file, a remote attacker could possibly use this issue to execute arbitrary code. It was discovered that the Ruby regex compiler incorrectly handled certain memory operations. A remote attacker could possibly use this issue to obtain sensitive memory contents.

Ubuntu Security Notice USN-6837-1

Ubuntu Security Notice 6837-1 - It was discovered that Rack incorrectly handled Multipart MIME parsing. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. This issue only affected Ubuntu 23.10. It was discovered that Rack incorrectly parsed certain media types. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service.

Red Hat Security Advisory 2024-3838-03

Red Hat Security Advisory 2024-3838-03 - An update for ruby is now available for Red Hat Enterprise Linux 9. Issues addressed include HTTP response splitting and denial of service vulnerabilities.

Red Hat Security Advisory 2024-3671-03

Red Hat Security Advisory 2024-3671-03 - An update for the ruby:3.3 module is now available for Red Hat Enterprise Linux 9.

Red Hat Security Advisory 2024-3670-03

Red Hat Security Advisory 2024-3670-03 - An update for the ruby:3.3 module is now available for Red Hat Enterprise Linux 8.